Oracle TNS Enumeration
Overview
The Oracle Transparent Network Substrate (TNS) server is a communication protocol that facilitates communication between Oracle databases and applications over networks. Initially introduced as part of the Oracle Net Services software suite, TNS supports various networking protocols between Oracle databases and client applications, such as IPX/SPX and TCP/IP protocol stacks.
Key Characteristics:
Port 1521: Default Oracle TNS port
Authentication: Username/password
SID: System Identifier for database instances
Protocol: Oracle Native Network Protocol
Industries: Healthcare, finance, retail (large, complex databases)
TNS Features and Capabilities
TNS has been updated to support newer technologies and provides:
Name resolution
Resolves service names to network addresses
Connection management
Manages database connections and sessions
Load balancing
Distributes connections across multiple instances
Security
Built-in encryption mechanism for data transmission
IPv6 Support
Modern network protocol support
SSL/TLS Encryption
Additional security layer over TCP/IP
Advanced TNS Capabilities
Security Features
Encryption: Client-server communication encryption
Authentication: Host-based and user-based authentication
Network Security: Protection against unauthorized access
Administrative Tools
Performance Monitoring: Comprehensive performance analysis tools
Error Reporting: Detailed logging capabilities
Workload Management: Database service management
Fault Tolerance: High availability through database services
Default Configuration
Basic TNS Configuration
By default, the Oracle TNS listener:
Port: Listens on TCP/1521 (configurable)
Protocols: Supports TCP/IP, UDP, IPX/SPX, and AppleTalk
Interfaces: Can listen on multiple network interfaces
Management: Remotely manageable in Oracle 8i/9i (not in 10g/11g)
Security Features
Host Authorization: Accepts connections only from authorized hosts
Basic Authentication: Uses hostnames, IP addresses, usernames, and passwords
Encryption: Oracle Net Services encrypts client-server communication
Configuration Files
tnsnames.ora (Client-side)
The client-side configuration file used by Oracle Net Services to resolve service names:
Key Components:
Service Name: ORCL (client identifier)
Host: 10.129.11.102 (database server)
Port: 1521 (listener port)
Service: orcl (database service name)
listener.ora (Server-side)
The server-side configuration file defining listener process properties:
TNS Configuration Parameters
Essential Settings
DESCRIPTION
Descriptor providing database name and connection type
ADDRESS
Network address including hostname and port number
PROTOCOL
Network protocol used for communication
PORT
Port number for server communication
CONNECT_DATA
Connection attributes (service name, SID, protocol)
INSTANCE_NAME
Database instance name for client connection
SERVICE_NAME
Service name for client connection
SERVER
Server type (dedicated or shared)
USER
Username for database authentication
PASSWORD
Password for database authentication
Advanced Settings
SECURITY
Connection security type
VALIDATE_CERT
SSL/TLS certificate validation
SSL_VERSION
SSL/TLS version for connection
CONNECT_TIMEOUT
Connection establishment time limit
RECEIVE_TIMEOUT
Response receiving time limit
SEND_TIMEOUT
Request sending time limit
SQLNET.EXPIRE_TIME
Connection failure detection time limit
TRACE_LEVEL
Database connection tracing level
TRACE_DIRECTORY
Trace file storage directory
TRACE_FILE_NAME
Trace file name
LOG_FILE
Log information storage file
Oracle Version Differences
Password Defaults
Oracle 9: Default password
CHANGE_ON_INSTALLOracle 10: No default password set
Oracle DBSNMP: Default password
dbsnmp
Service Integration
Oracle TNS is often used with:
Oracle DBSNMP
Oracle Application Server
Oracle Enterprise Manager
Oracle Fusion Middleware
Web servers
Legacy services (like finger service)
Security Features
PL/SQL Exclusion List
Oracle databases can be protected using PL/SQL Exclusion List (PlsqlExclusionList):
Location:
$ORACLE_HOME/sqldeveloperdirectoryPurpose: Text file containing PL/SQL packages to exclude from execution
Function: Serves as a blacklist for Oracle Application Server
Implementation: Loaded into database instance for package restrictions
Setting up Oracle TNS Tools
Complete Setup Script
Testing ODAT Installation
Enumeration Techniques
1. Service Detection
2. SID Enumeration
System Identifier (SID) Concepts
Purpose: Unique name identifying a particular database instance
Multiple Instances: Each instance has its own System ID
Connection: Client specifies SID in connection string
Default: Uses tnsnames.ora value if not specified
Management: Used by DBAs to monitor and manage instances
SID Brute Forcing with Nmap
3. ODAT Comprehensive Enumeration
Database Interaction
SQLplus Connection
Library Error Fix
Database Enumeration
Basic Database Information
Privilege Escalation
Password Hash Extraction
Extract User Password Hashes
File Upload Capabilities
Web Server Default Paths
Linux
/var/www/html
Windows
C:\inetpub\wwwroot
File Upload with ODAT
Verify File Upload
HTB Academy Lab Questions
Question: Password Hash Extraction
Task: Enumerate the target Oracle database and submit the password hash of the user DBSNMP
Solution:
Advanced Enumeration Techniques
ODAT Module Overview
Security Assessment
Common Vulnerabilities
Default Credentials: Standard Oracle accounts with default passwords
SID Enumeration: Brute force attacks on SID values
Privilege Escalation: Weak privilege controls
File Upload: Arbitrary file upload capabilities
Password Hash Extraction: Weak password hashing
Enumeration Checklist
Attack Vectors
1. Credential-based Access
2. File Upload Exploitation
3. Database Information Extraction
Defensive Measures
Security Best Practices
Change Default Passwords: Replace all default Oracle passwords
Restrict Network Access: Limit TNS listener network exposure
Enable Encryption: Use SSL/TLS for all connections
Regular Updates: Apply Oracle security patches
Monitor Access: Enable audit logging
Least Privilege: Restrict database user permissions
Last updated